description | title | author |
---|---|---|
Quickly build API-centric applications. Leverage the latest microservice and container design patterns. And tie it all together with the Kong microservice API gateway. | API Gateway (powered by Kong CE) | ll911 [email protected] |
- https://github.com/bcgov/gwa/wiki/Developer-Guide
- https://catalogue.data.gov.bc.ca/dataset/api-gateway-administration
- Current Kong version
- DataBC Cluster version => kong-ce.0.14.1
- OpenShift Cluster version => kong-ce.1.4.3
- DB mode: backend supports postgres or cassandra. PostgreSQL is recommended for the OpenShift Cluster, and PostgreSQL can be managed separately.
- DB-less mode: uses k8s configmaps or secrets; the oidc bridge is not available in this mode.
- OpenAPI Specs supported version => 3.x(current), 2.x (deprecated)
- APIs already behind GW https://catalogue.data.gov.bc.ca/dataset?tags=API
- BCGOV API registry (API published under OpenAPI Specs) https://catalogue.data.gov.bc.ca/group/bc-government-api-registry
- enabled for wildcard TLS+SNI for `*.api.gov.bc.ca`, `*.data.gov.bc.ca`
- enabled for WAM siteminder agent protection for `*.apps.gov.bc.ca`
- current Gateway backend - Kong (https://github.com/kong/kong) API gateway
- Used for common logic like rate-limit and app2app authentication such as apiKeys, token, keycloak oidc, etc.
- if you are building an API, register your API in https://argg.apps.gov.bc.ca/int/
- Demo:
- httpbin api: https://gwa-demo.pathfinder.gov.bc.ca/ (it may not be always running, use the k8s specification file below to create the object anywhere that has k8s/okd running)
- code: https://github.com/bcgov/gwa/blob/master/k8s/gateway-dbless-demo.yaml
- DataBC, https://data.gov.bc.ca/ is entirely driven by API https://dbcfeeds.api.gov.bc.ca/, no db backend
- WorkBC, https://www.workbc.ca/api, WorkBC manages and hosts its own API but proxies via our gateway for common features like ratelimit, SSL, etc.
- GCPE/GDX, Site Analytics Services running behind Gateway using IP Anonymity for Privacy Act compliance
- Use API Gateway with OpenID Connect (e.g. BCGOV-SSO AKA Keycloak integration without writing the logic in your code)
- current Kong cluster is running in parallel with OpenShift cluster Kamloops in Zone D, plus RRDNS across the Kamloops/Calgary datacenters
- backend API, you can host your API anywhere, e.g. OCP Kamloops cluster
- Kong Cluster Production is running on a mix of OpenShift cluster, RHEL VMs and physical servers across the Kamloops and Calgary datacenters.
- traffic pattern:
  - A, self managed database-less/sidecar gateway: `*.pathfinder.gov.bc.ca` or your own DNS (F5 VIP) => OpenShift Router => Gateway ReplicaSets => your running pods
  - B, using DataBC managed gateway: `*.api.gov.bc.ca` or your own DNS (API Gateway Cluster) => OpenShift Router => your running pods
  - C, using DataBC managed gateway: `*.api.gov.bc.ca` or your own DNS (API Gateway Cluster) => your running app/api/svc elsewhere
- kong 1.4+, database-less gateway supports declarative configuration via yaml or json
- Admin UI improvement
- Support `PROXY_PROTOCOL` in traffic pattern B mentioned above for better performance in TLS end to end deployment.
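
The database-less declarative configuration and the common gateway logic (rate-limit, apiKeys) listed above can be combined in one Kong declarative file for traffic pattern A. This is an added example, not taken from the bcgov/gwa repository; the service name, hostnames, consumer and key value are constructed placeholders.

```yaml
# Added example: Kong 1.4 DB-less declarative configuration (kong.yml).
# Not the project's own file; every name, host and key below is a placeholder.
_format_version: "1.1"

services:
  - name: demo-api                          # hypothetical service name
    url: http://demo-api.example.svc:8080   # placeholder upstream (your running pods)
    routes:
      - name: demo-api-route
        hosts:
          - demo.example.invalid            # placeholder; your *.pathfinder.gov.bc.ca or own DNS name
        paths:
          - /
        protocols:
          - https                           # refuse plain-HTTP requests on this route
    plugins:
      - name: key-auth
        config:
          key_names:
            - apikey                        # header or query parameter carrying the key
          hide_credentials: true            # strip the key before proxying upstream
      - name: rate-limiting
        config:
          minute: 60                        # constructed limit; size it to the backend
          limit_by: consumer                # count per authenticated consumer, not per IP
          policy: local                     # per-node counters; "cluster" needs a database

consumers:
  - username: demo-app                      # hypothetical app2app client
    keyauth_credentials:
      - key: REPLACE_WITH_GENERATED_KEY     # placeholder; never commit a real key
```

Because the consumer key lives in the file itself, mount it from a k8s secret rather than a configmap, and note that with `policy: local` the effective limit scales with the number of gateway replicas.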